AUS920010942US1 
Koved et al. 

Method and Apparatus for Implementing Permission Based 
Access Control Through Permission Type Inheritance 

1/9 

100 

S 




FIG. 1 



CLIENT 



202 



PROCESSOR 



1 



204 



PROCESSOR 



SYSTEM BUS 



I 



208 



MEMORY 
CONTROLLER/ 
CACHE 



209- 



I 



I/O BRIDGE 



LOCAL 
MEMORY 



212- 



230 



s 



GRAPHICS 
ADAPTER 



232^" 



HARD DISK 



I/O 
BUS 



FIG. 2 O 



206 



210 



214 



PCI BUS 
BRIDGE 



222 



PCI BUS 
BRIDGE 



PCI BUS 
BRIDGE 

224 



200 



PCI BUS 



216 



MODEM 



31 



> 



NETWORK 
ADAPTER 



218 220 
PCI BUS 



226 



PCI BUS 



228 



AUS920010942US1 
Koved et al. 

Method and Apparatus for Implementing Permission Based 
Access Control Through Permission Type Inheritance 



300. 



FIG. 3 



2/9 



PROCESSOR C=0 



~7" 

302 



HOST/PCI 
CACHE/BRIDGE 



308 



I 



MAIN 
MEMORY 



BUS 



304 



AUDIO 
ADAPTER 



I 



316 



SCSI HOST 
BUS ADAPTER 



312 



306 



1£ 



LAN 
ADAPTER 



31 



DISK 



TAPE 



CD-ROM 



EXPANSION 

BUS 
INTERFACE 

314 



If 



GRAPHICS 
ADAPTER 



318 



AUDIO/ 
VIDEO 
ADAPTER 

319 



-326 

328 ^332 
•330 



KEYBOARD AND 
MOUSE ADAPTER 



320 



MODEM 



322 



MEMORY 



324 



FIG. 4 



SERVER 420 



APPLET 



WEB PAGE 



CLIENT DEVICE 



WEB BROWSER 
480 

^_ 



440 



445 



BYTEC0DE VERIFIER 



APPLET CLASS LOADER 



SECURITY MANAGER 



ACCESS CONTROLLER 
2= 



485 



APPLET CLASS 



NAMESPACE 



470 



460 



450 



JAVA VIRTUAL MACHINE 



415 



s 

^410 



_J 



AUS920010942US1 
Koved et a I. 

Method and Apparatus for Implementing Permission Based 
Access Control Through Permission Type Inheritance 

3/9 



IBMPermission 




FIG. 5 



Permission3 



FIG. 6 



Bytecode 



JVM 



Untrusted 
Resource 
Access 
Request 



o 



Grant 
Resource 
Access 
Request 



, Security 
Manager 



Invoke 
Security 
Manager 



o 



Return 
Result of 
Permission 

Check 



Access 
Controller 



Permission 



SecurityManager 
checkPermission 



Access 
Control 
Context 



Get AccessControlContext 



1 

AccessControlContext 

checkPermissionQ 



Call implies 
Method on 
Permission 



Call newPermissionCo 

K 



lection 



Add Permission and (optionally) 
all Subclass Permissions to 
Permission Collection 



Return 
Result of 
Permission 
, Check 


< 

Add Permissi 

to AccessCc 

i 


on Collection 
)ntrolContext 

l. 









AUS920010942US1 
Koved et al. 

Method and Apparatus for Implementing Permission Based 
Access Control Through Permission Type Inheritance 

4/9 



FIG. 7A 

import java.security.BasicPermission; 
import java.security.Permission; 
import java.security.PermissionCollection; 
import java.utiLHashtable; 
import java.util. Enumeration; 

public class IBMPermission extends BasicPermission 
public IBMPermissionQ 
super (" '0; 

System.out.println("Constructor IBMPermissionQ called"); 
public IBMPermission(String target) 
super(target); 

System.out.println("Constructor IBMPermission(target) called"); 

public IBMPermission(String target, String actions) 
super(target, actions); 

System.out.println("Constructor IBMPermission(target, actions) called"); 
public boolean implies(Permission perm) 

System.out.println( c< IBMPermission.implies() called"); 

if (perm instanceof IBMPermission) 

return true; 
return false; 

i 

public PermissionCollection newPermissionCollectionQ 

\ 

return new IBMPermissionCollection(); 
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final class IBMPermissionCollection extends PermissionCollection 
implements java.io.Serializable 



i 



private Hashtable permissions; 

public IBMPermissionCollectionQ FIG. 7B 

^ permissions = new HashtableQ; 

public void add(Permission permission) 

^ if (! (permission instanceof IBMPermission)) 

throw new IllegalArgumentException("Invalid Permission: " + 

permission); 

IBMPermission ibmp = (IBMPermission) permission; 
permissions. put(ibmp.getName(), permission); 

public boolean implies (Permission permission) 

if (! (permission instanceof IBMPermission)) 
return false; 

System. out.println( l 'permission instanceof IBMPermission == true"); 

IBMPermission ibmp = (IBMPermission) permission; 

String permName = ibmp.getName(); 

Permission x = (Permission) permissions.get(permName); 

if (x != null) 

System. out.println("We have a direct hit! " + x.getName()); 
return x.implies(permission); 

Enumeration permEnum = permissions. elementsQ; 
while (permEnum. hasMoreElementsQ) 

x = (IBMPermission) permEnum. nextElement(); 
System.out.println(x.getName()); 

if (x.implies(permission)) 
return true; 

i 

return false; 

i 

public enumeration elements() 

^ return permissions. elementsQ; 



AUS920010942US1 
Koved et al. 

Method and Apparatus for Implementing Permission Based 
Access Control Through Permission Type Inheritance 

import java.security.PermissionCollection; 6/9 
import java.security.AccessController; 

import java. security .AccessControlContext; WTP *? ' C 

import java.security.AccessControlException; 1 Y m * ^ 

public class WSPermission extends IBMPermission 
^ public WSPermission(String target) 
super(target); 

System.out.println("Constructor WSPermission(target) called"); 

public WSPermission(String target, String actions) 
super(target, actions); 

System.out.println("Constructor WSPermission(target, actions) called"); 

public WSPermission() 
super(""): 

System.out.println("Constructor WSPermissionQ called"); 

A* 

* Returns a new IBMPermissionCollection object for storing IBMPermission 

* objects. 

* <p> 

* An IBMPermissionCollection stores a collection of 

* IBMPermission permissions. 

* <p> 

* IBMPermission objects must be stored in a manner that allows them 

* to be inserted in any order, but that also enables the 

* PermissionCollection <code>implies</code> method 

* to be implemented in an efficient (and consistent) manner. 
* 

* ©return a new IBMPermissionCollection object suitable for 

* storing IBMPermission's. 

*/ 

public PermissionCollection newPermissionCollection() 

System. out.println( ,t newPermissionCollection() was called"); 
IBMPermissionCollection ibmPC = new IBMPermissionCollectionQ; 

// the code here checks if an IBMPermissionCollection has been granted. 
//If yes, then the PermissionCollection returned by this 
// method should contain a WSPermission. 

AccessControlContext acc = AccessController.getContext(); 
try 

acc.checkPermission(new IBMPermission( << PermissionTest")); 
j ibmPC.add(new WSPermission("PermissionTest")); 

catch (AccessControlException ace) 

j System.out.printlnO'IBMPermission WAS NOT GRANTED"); 
return ibmPC; 



\ 
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FIG. 8 

import java.io.*; 

public class PermissionTest 

public static void main(String args[]) 



try 
i 



worked.\n\n\rT); 



SecurityManager sm = System.getSecurityManager(); 
if (sm != null) 

System.out.println("SecurityManager is checking for " + 

■permission"); 

^ sm.checkPermission(new WSPermission( << PermissionTest M )); 

System. out.println("WSPermission was granted. " + 

"Permission testing 



File inputFile = new File("C:\\winzip.log M ); 
FilelnputStream fis = new FilelnputStream(inputFile); 
InputStreamReader isr = new InputStreamReader(fis); 
BufferedReader br = new BufferedReader(isr); 

String lineRead; 

while ((lineRead = br.readLine()) != null) 
System.out.println(lineRead); 



catch (Exception e) 

e.printStackTra'ceQ; 
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package sun.security.provider; 

import java.security.PermissionCollection; 
import java.security.CodeSource; 
import IBMPermission; 
import WSPermission; 

public class MarcoPolicy extends PolicyFile 



\ 



public PermissionCollection getPermissions(CodeSource codesource) 



I 



PermissionCollection pc = super.getPermissions(codesource); 

if (pc == null) 
return null; 

if (pc.impliesfnew IBMPermission ("PermissionTest"))) 

pc.add(new WSPermission( <t PermissionTest ,, )); 

return pc; 



! 



